Penetration Testing mailing list archives

RE: Fwd: Terminal services and remote programs.


From: "Nathaniel Carew" <nathaniel.carew () gmedia com au>
Date: Thu, 1 May 2008 14:08:02 +1000

Something I do with MS TS boxes is set up a local SSH server and force the
clients to connect via SSH + certificate, then tunnel 3389 through PuTTY (or
similar) to connect.

Nathaniel Carew
G Media
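As an added example (not part of the original post), a small POSIX shell audit for the SSH-fronted setup described above: it checks that an sshd_config enforces key/certificate logins and permits only the local forward the RDP tunnel needs. The host name, key file and sample configs are constructed for the example.

```shell
# Added example, not from the original thread. Assumed client usage against a
# hypothetical host: ssh -i ts_key -N -L 3389:127.0.0.1:3389 user@ts.example.invalid
# then point mstsc/rdesktop at localhost:3389.

# Effective value of a keyword: sshd_config uses the FIRST match and keywords
# are case-insensitive. (Simplification: Match blocks are not evaluated.)
sshd_effective() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# Return 0 when the config enforces key-only logins and allows the local
# port-forward the RDP tunnel needs; print each finding and return 1 otherwise.
check_sshd_tunnel_config() {
    cfg="$1"
    fail=0
    [ "$(sshd_effective "$cfg" PasswordAuthentication)" = "no" ] ||
        { echo "PasswordAuthentication must be no (key/certificate only)"; fail=1; }
    [ "$(sshd_effective "$cfg" PubkeyAuthentication)" != "no" ] ||
        { echo "PubkeyAuthentication must not be disabled"; fail=1; }
    case "$(sshd_effective "$cfg" AllowTcpForwarding)" in
        local|yes|all|"") ;;   # "" means the sshd default, which is yes
        *) echo "AllowTcpForwarding blocks the -L 3389 tunnel"; fail=1 ;;
    esac
    [ "$(sshd_effective "$cfg" PermitRootLogin)" = "no" ] ||
        { echo "PermitRootLogin should be no"; fail=1; }
    return "$fail"
}

# Constructed sample configs: a weak one (password logins still allowed) and
# a hardened one limited to the single local forward to the RDP port.
write_sample_configs() {
    cat > "$1" <<'EOF'
Port 22
PasswordAuthentication yes
AllowTcpForwarding yes
EOF
    cat > "$2" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowTcpForwarding local
PermitOpen 127.0.0.1:3389
X11Forwarding no
EOF
}
```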

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Sat Jagat Singh
Sent: Thursday, 1 May 2008 12:48 AM
To: PenTest
Subject: Re: Fwd: Terminal services and remote programs.

Our team regularly breaks into Terminal Servers through social engineering
and phishing techniques.  So, measure #1 to protect these: require either
ipsec vpn to be able to connect to the box or two factor authentication such
as RSA or Vasco to get on it.


When I have credentials, I have never yet seen a Terminal Server or Citrix
Metaframe server on which I wasn't able to gain unauthorized access to
programs and escalate that to where I could get to most anything, no matter
how tightly somebody thought it was locked down.  There are dozens of ways
to break out of an application jail in Windows.

1) In the programs you mention, just go to the file open dialog box.  Now
you basically have a Windows Explorer interface.  You can use this to create
shortcuts on your desktop to executables that may be otherwise inaccessible,
browse the network, delete files and more.

2) The help system for the application is basically an Internet Explorer
interface.  This has been widely exploited by many people to carry out all
kinds of mischief.

3) Application vulnerabilities that permit code execution.

Critical measures to prevent these include:
- install the system on an isolated network if possible, or restricted DMZ
otherwise;
- such servers should be either standalone or a member of a Windows domain
that is used only for administering the Terminal Servers;
- ensure that all of the application patches are installed promptly

Other security controls are also relevant, including personnel controls
such as background checks and user account management that includes promptly
deleting obsolete accounts.

To answer your other question, if there is a patch-based vulnerability in
the application that someone can exploit to execute code, it would typically
give them the security context of their own user account.  But I think there
have been at least a few MS Office vulnerabilities that were exploitable to
escalate privileges.  It would depend on the nature of the vulnerability.
Typically, MS has gotten better over time at limiting the opportunities to
carry out exploits and the impact of the exploit when it does succeed.  So,
it would be worth considering Windows 2008 to deploy such a solution.  While
it is largely untested in the wild, it should benefit from Microsoft's
improved development and testing processes under the "security development
lifecycle" and "trustworthy computing" regime.


--- On Fri, 4/25/08, Paul Halliday <paul.halliday () gmail com> wrote:

From: Paul Halliday <paul.halliday () gmail com>
Subject: Fwd: Terminal services and remote programs.
To: pen-test () securityfocus com
Date: Friday, April 25, 2008, 4:03 PM
I am just curious if any of you have performed an audit on a setup like this:

In a nutshell, tech services is looking to offer the entire Microsoft Office
suite and Adobe Creative suite through Terminal services.

My immediate concern is, if there is a vulnerability in the remote apps, what
will the context be for the attacker?

Is there anything else I should be looking more closely at?

Thanks.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

